OCC third-party risk management — interagency guidance
The 2023 Interagency Third-Party Risk Management Guidance, the five lifecycle stages, what banks now expect from fintech partners, OCC enforcement patterns, and the evidence to pass review.
The Interagency Guidance on Third-Party Relationships: Risk Management, jointly issued by the OCC, FDIC, and Federal Reserve in June 2023, is the rubric every U.S. federal bank examiner now uses when reviewing how a bank manages its fintech, technology, and service-provider relationships. It replaced earlier OCC, FDIC, and Federal Reserve guidance and harmonized expectations across the three regulators.
For fintechs operating behind sponsor banks, the guidance is the framework the sponsor bank's third-party risk team applies to your relationship. Every diligence question, every continuous-monitoring requirement, every contractual clause that has tightened since 2023 traces back to this document. Understanding what it requires — and what examiners specifically test — is essential to passing diligence and staying onboarded.
What the guidance replaced
Prior to June 2023, third-party risk management at banks was governed by three separate documents:
- OCC Bulletin 2013-29 (Risk Management Guidance for Third-Party Relationships).
- FDIC FIL-44-2008 (Guidance for Managing Third-Party Risk).
- Federal Reserve SR 13-19 (Guidance on Managing Outsourcing Risk).
The three documents were broadly aligned but had enough variation that banks supervised by multiple regulators (or operating across multiple charter types) faced inconsistent expectations. The 2023 Interagency Guidance harmonized all three into one framework that every federal bank examiner now uses.
The five lifecycle stages
The guidance organizes third-party risk management as a five-stage lifecycle. Each stage has its own expectations.
1. Planning
Before initiating a third-party relationship, the bank must define the activity, the risks the third party will manage or introduce, the strategic objective served, and the resources required to oversee the relationship. Planning documentation typically includes a business case, a risk assessment, and proposed contractual terms. Skipping this stage — entering relationships opportunistically — is a common finding.
2. Due diligence and third-party selection
Pre-contract diligence must be proportionate to the risk and complexity of the relationship. Higher-risk relationships — those involving customer data, regulated activity, or material operational dependency — require deeper diligence. Areas covered:
- Strategy and reputation
- Business experience and qualifications
- Financial condition
- Risk-management programs (information security, BSA/AML, consumer compliance)
- Information security and resilience
- Reliance on subcontractors (the "fourth-party" question)
- Insurance coverage
- Conflicts of interest
3. Contract negotiation
The contract must address the bank's right to review, monitor, and audit the third party's performance and compliance. Specific clauses the guidance highlights:
- Right to access records, conduct on-site reviews, and require independent audits.
- Performance metrics and service-level agreements.
- Information-security and incident-response obligations.
- Compliance with applicable laws and regulations.
- Subcontracting restrictions or notification requirements.
- Business-continuity and resilience obligations.
- Termination rights, including for cause and at the bank's convenience.
- Wind-down obligations protecting customer continuity.
4. Ongoing monitoring
This is the stage that has tightened most since the guidance landed. Ongoing monitoring is now expected to be continuous and risk-based, not periodic. Specific expectations:
- Real-time or near-real-time visibility into third-party performance and compliance metrics relevant to the activity.
- Periodic deep-dive testing on a risk-based schedule.
- Documented response to material events — security incidents, key personnel changes, regulatory inquiries, performance degradation.
- Trend analysis on the third party's portfolio risk and operating health.
- Ability to produce examination-grade evidence of the third party's activity on demand.
5. Termination
Termination must be planned in advance, with documented procedures for transfer or wind-down of the activity, customer-funds continuity, customer notification, and data preservation. The Synapse 2024 fallout demonstrated that ad-hoc termination causes the most customer harm; examiners now require advance termination planning before relationships begin.
Risk-based proportionality
The guidance is explicit that not every third-party relationship requires the same depth of diligence and monitoring. Banks are expected to apply risk-based proportionality:
- Critical activities — those that, if disrupted, would significantly affect the bank's operations, customer base, or compliance posture — require the deepest diligence and the most intensive monitoring.
- Material activities — those that affect specific products, customer segments, or operational areas — require substantial diligence and regular monitoring.
- Other activities — those that present limited risk — require diligence and monitoring proportionate to the actual risk profile.
Fintech partner relationships almost always fall into "critical" or "material" categories because they touch customer funds, regulated activity, and the bank's reputational exposure. The guidance does not let banks classify a deposit-taking fintech as low-risk because the activity volume is small.
Enforcement patterns 2024-2026
Public consent orders against banks in the BaaS and fintech-partner space since 2023 share a recurring pattern of findings:
- Insufficient pre-relationship diligence. The bank entered or expanded a fintech relationship without completing the diligence the guidance requires for the risk level.
- Inadequate ongoing monitoring. The bank had contracts and onboarding documentation but lacked real-time visibility into the fintech's compliance health and could not produce on-demand examination evidence.
- Subcontractor blind spots. The fintech's own downstream vendors (KYC, KYB, fraud, infrastructure) were not within the bank's third-party risk perimeter, which the guidance specifically requires.
- Reconciliation gaps. The bank's ledger and the fintech's ledger could not be reconciled to a single per-customer view, leaving customer-fund attribution at risk.
- Insufficient board and senior-management oversight. The third-party risk function lacked the resources, authority, and reporting cadence the guidance expects.
Each finding has cascaded into operational changes the affected banks now require from every fintech partner — and increasingly from new sponsor banks adopting the same playbook prophylactically.
What fintechs must deliver
For a fintech inside the third-party-risk perimeter of a U.S. federal bank, the practical evidence requirements are:
- Diligence package. 200-400 pages or digital equivalent covering 11 areas (corporate, financial, management, infosec, BSA/AML, consumer compliance, operations, reconciliation, sub-vendor management, marketing, wind-down).
- Real-time compliance metrics. KYC pass rates, AML alert volumes and dispositions, sanctions hit rates, complaint volumes, system availability — exposed for sponsor-bank visibility.
- On-demand examination files. Complete customer files (onboarding, transactions, alerts, communications, changes) produced in hours, not days.
- Incident notification within hours. Security incidents, system outages, key personnel changes, regulatory inquiries.
- Sub-vendor diligence files. The fintech's own downstream vendors each have a maintained diligence file the sponsor bank can review.
- Wind-down plan. Written, tested procedures for funds-flow continuity, customer notification, and data preservation.
Evidence infrastructure
Across both sides of the relationship — the bank's third-party risk function and the fintech partner — the evidence infrastructure to satisfy the guidance needs four properties:
- Completeness. Every regulated decision and every monitoring data point captured with full context.
- Tamper-evidence. Records append-only, ideally hash-chained or WORM-stored.
- Framework-tagged. Records reference the third-party-risk lifecycle stage and the specific regulatory framework (BSA/AML, Reg E, GLBA, SOC 2 control reference) they satisfy.
- Exportable. Time-range, customer, framework, and event-type exports complete in minutes, not days.
These are the same four properties driving sponsor-bank continuous monitoring and examiner-grade audit trails. The infrastructure decision — build in-house, buy a compliance orchestration platform, or assemble from point tools — is one of the most consequential a fintech makes in the first 18 months of a sponsor-bank relationship.
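As an added illustration of those four properties (not code from the guidance or from any vendor platform), the sketch below keeps an append-only, hash-chained evidence log in which every record carries its lifecycle stage and the framework tags it satisfies, verifies the chain end to end, and supports time-range, framework, and event-type exports. The record shape, the tag strings such as "SOC2:CC6.1", and the sample entries are constructed for the example.

```python
import hashlib
import json

# Assumed record shape (constructed for this example): each entry stores the
# lifecycle stage, the framework tags it evidences, and the hash of the previous
# entry, so any edit or deletion breaks the chain from that point forward.

def _digest(prev_hash, body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append_record(log, ts, stage, frameworks, event_type, detail):
    """Append one evidence record (ISO-8601 UTC timestamp); returns the stored entry."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    body = {"ts": ts, "stage": stage, "frameworks": sorted(frameworks),
            "event_type": event_type, "detail": detail}
    entry = {**body, "prev_hash": prev_hash, "hash": _digest(prev_hash, body)}
    log.append(entry)
    return entry

def verify_chain(log):
    """Recompute every link; returns (True, None) or (False, index of first bad entry)."""
    prev_hash = "0" * 64
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("ts", "stage", "frameworks", "event_type", "detail")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, body):
            return False, i
        prev_hash = entry["hash"]
    return True, None

def export(log, start, end, framework=None, event_type=None):
    """Time-range export (inclusive), optionally narrowed to one framework or event type."""
    return [e for e in log
            if start <= e["ts"] <= end
            and (framework is None or framework in e["frameworks"])
            and (event_type is None or e["event_type"] == event_type)]

def build_sample_log():
    """Constructed sample entries for a fintech inside a sponsor bank's risk perimeter."""
    log = []
    append_record(log, "2025-03-01T09:00:00Z", "due_diligence", ["SOC2:CC6.1"],
                  "infosec_review", "penetration-test report received from partner")
    append_record(log, "2025-03-02T10:15:00Z", "ongoing_monitoring", ["BSA/AML"],
                  "aml_alert_disposition", "alert 17 closed as false positive")
    append_record(log, "2025-03-02T11:00:00Z", "ongoing_monitoring", ["Reg E"],
                  "complaint_received", "unauthorized-transfer dispute opened")
    append_record(log, "2025-03-03T08:30:00Z", "ongoing_monitoring", ["BSA/AML", "SOC2:CC7.2"],
                  "incident_notified", "sub-vendor outage reported to sponsor bank")
    return log
```

Because timestamps are ISO-8601 UTC strings of identical shape, plain string comparison gives correct chronological filtering without parsing.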